Packet Sniffing Basics

Imagine this: you're sitting in your local coffee shop sucking down
your morning caffeine fix before heading into the office. You catch
up on your work e-mail, you check Facebook and you upload that financial
report to your company's FTP server. Overall, it's been a
constructive morning. By the time you get to work, there's a
whirlwind of chaos throughout the office. That incredibly sensitive
financial report you uploaded was somehow leaked to the public,
and your boss is outraged by the crass and unprofessional e-mail you
just sent him. Was there some hacker lurking in the shadows that
broke into your company's network and decided to lay the blame on you?
More than likely not. This mischievous ne'er-do-well probably
was sitting in the coffee shop you stopped at and seized the opportunity.

Without some form of countermeasures, your data isn't safe on public
networks. This example is a worst-case scenario on the far end of the
spectrum, but it isn't so far-fetched. There are people out there who
are capable of stealing your data. The best defense is to know what
you can lose, how it can get lost and how to defend against it.

What Is Packet Sniffing?

Packet sniffing, or packet analysis, is the process of capturing any
data passed over the local network and looking for any information
that may be useful. Most of the time, we system administrators use
packet sniffing to troubleshoot network problems (like finding out why
traffic is so slow in one part of the network) or to detect intrusions
or compromised workstations (like a workstation that is
connected to a remote machine on port 6667 continuously when you don't use IRC
clients), and that is what this type of analysis originally
was designed for. But, that didn't stop people from finding more creative
ways to use these tools. The focus quickly moved away from its
original intent—so much so that packet sniffers are considered security
tools instead of network tools now.

Figure 1. A Capture of a Packet of Someone Trying to Log In to a Web Site

Finding out what someone on your network is doing on the Internet is
not some arcane and mystifying talent anymore. Tools like Wireshark,
Ettercap or NetworkMiner give anybody the ability to sniff network
traffic with a little practice or training. These tools have become
increasingly easy to use and continue to make things easier to
comprehend, which makes them more usable by a broader user base.

Figure 2. Tools like NetworkMiner can reconstruct images that have been broadcast on the network.

How Does It Work?

Now, you know that these tools are out there, but how exactly do they
work? First, packet sniffing is a passive technique. No one
actually is attacking your computer and delving through all those
files that you don't want anyone to access.
It's a lot like eavesdropping. My computer is just listening in on the
conversation that your computer is having with the gateway.

Typically, when people think of network traffic, they think that it goes
directly from their computers to the router or switch and up to the
gateway and then out to the Internet, where it routes similarly until
it gets to the specified destination. This is mostly true except for
one fundamental detail. Your computer isn't directly sending the data
anywhere. It broadcasts the data in packets that have the destination
in the header. Every node on your network (or switch) receives the
packet, determines whether it is the intended recipient and then
either accepts the packet or ignores it.

For example, let's say you're loading the Web page
http://example.com on your computer "PC". Your computer sends the request
by basically shouting "Hey! Somebody get me
http://example.com!",
which most nodes simply will ignore. Your switch will pass it on
to where it eventually will be received by example.com, which will pass
back its index page to the router, which then shouts "Hey! I have
http://example.com for PC!", which again will be ignored by everyone
except you. If others were on your switch with a packet sniffer, they'd
receive all that traffic and be able to look at it.

Picture it like having a conversation in a bar. You can have a
conversation with someone about anything, but other people are around
who potentially can eavesdrop on that conversation, and although you
thought the conversation was private, eavesdroppers can make use of
that information in any way they see fit.
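The following simulation, added here and not part of the original article, replays the page's "get me http://example.com" exchange and records which ports receive a copy of each frame on a hub and on a learning switch. It goes beyond the article's "every node receives the packet" description: as readers note in the comments below, a switch floods only broadcasts and unknown destinations and sends learned unicast traffic to a single port. Ports, MAC addresses and the frame sequence are constructed for illustration.

```python
"""Which ports see a frame on a hub versus a learning switch.

Added example, not from the original article. Ports, MAC addresses and
the frame sequence are constructed; port 3 plays the bystander.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str       # source MAC address
    dst: str       # destination MAC address
    ingress: int   # switch/hub port the frame arrived on

class Hub:
    """A hub repeats every frame to every other port, so any host can listen."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, frame):
        return sorted(p for p in self.ports if p != frame.ingress)

class LearningSwitch:
    """A switch learns source MAC -> port and floods only broadcast frames or
    frames for a MAC it has not yet learned; known unicast goes to one port."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC address -> port (the lookup table)
    def forward(self, frame):
        self.table[frame.src] = frame.ingress        # learn where src lives
        out = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:    # unknown destination: flood
            return sorted(p for p in self.ports if p != frame.ingress)
        return [out] if out != frame.ingress else []

PC, GATEWAY = "aa:00:00:00:00:01", "aa:00:00:00:00:02"

def run(device):
    """Replay the article's web-page example and return, per frame, the ports
    that receive a copy (port 1 = PC, port 2 = gateway, port 3 = bystander)."""
    steps = [
        Frame(PC, BROADCAST, 1),   # ARP request: "who has the gateway?"
        Frame(GATEWAY, PC, 2),     # ARP reply from the gateway
        Frame(PC, GATEWAY, 1),     # HTTP request for http://example.com
        Frame(GATEWAY, PC, 2),     # HTTP response carrying the index page
    ]
    return [device.forward(f) for f in steps]

if __name__ == "__main__":
    print("hub    :", run(Hub([1, 2, 3])))             # bystander sees every frame
    print("switch :", run(LearningSwitch([1, 2, 3])))  # bystander sees only the broadcast
```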

What Kind of Information Can Be Gathered?

Most of the Internet runs in plain text, which means that most of the
information you look at is viewable by someone with a packet
sniffer. This information ranges from the benign to the sensitive.
You should take note that all of this data is vulnerable only through
an unencrypted connection, so if the site you are using has some form
of encryption like SSL, your data is less vulnerable.

The most devastating data, and the stuff most people are concerned
with, is user credentials. Your user name and password for any given
site are passed in the clear for anyone to gather. This can be
especially crippling if you use the same password for all your
accounts on-line. It doesn't matter how secure your bank Web site
is if you use the same password for that account and for your
Twitter account. Further, if you type your credit-card information into an
insecure Web page, it is just as vulnerable, although there aren't many
(if any) sites that continue this practice for that exact reason.
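To make the point above concrete, here is an added audit script (not from the article) that checks captured TCP payloads for the three cleartext logins the section describes: FTP USER/PASS, HTTP Basic authentication and an HTTP form login, and returns nothing for a TLS stream, whose contents are ciphertext. The sample payloads are constructed; the script reports only that a credential was exposed and which account it belongs to, never the password itself.

```python
"""Flag credentials sent in the clear in captured TCP payloads.
Added example, not from the original article; the sample payloads below
are constructed. Passwords are never returned, only the fact of exposure.
"""
import base64
import re
from urllib.parse import parse_qs

def find_cleartext_auth(dst_port, payload):
    """Return (protocol, kind, username) for each credential found."""
    findings = []
    if dst_port == 21:                                  # FTP control channel
        for line in payload.decode("ascii", "replace").splitlines():
            if line.upper().startswith("USER "):
                findings.append(("ftp", "username", line[5:].strip()))
            elif line.upper().startswith("PASS "):
                findings.append(("ftp", "password", "<redacted>"))
    elif dst_port == 80:                                # plain HTTP
        head, _, body = payload.partition(b"\r\n\r\n")
        text = head.decode("latin-1")
        m = re.search(r"^Authorization:\s*Basic\s+(\S+)", text, re.M | re.I)
        if m:                                           # user:pass is only base64
            try:
                user = base64.b64decode(m.group(1)).split(b":", 1)[0]
                findings.append(("http", "basic-auth", user.decode("latin-1")))
            except ValueError:                          # malformed base64
                findings.append(("http", "basic-auth", "<undecodable>"))
        if text.startswith("POST ") and b"password=" in body.lower():
            form = parse_qs(body.decode("latin-1"))
            findings.append(("http", "form-login", form.get("username", ["?"])[0]))
    # dst_port 443: TLS application data is ciphertext, nothing to inspect
    return findings

SAMPLES = [
    (21, b"USER alice\r\nPASS hunter2\r\n"),
    (80, b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
         b"Authorization: Basic Ym9iOnNlY3JldA==\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=carol&password=pa55"),
    (443, b"\x17\x03\x03\x00\x20" + bytes(range(32))),  # TLS record: opaque
]

def audit(samples=SAMPLES):
    return [f for port, data in samples for f in find_cleartext_auth(port, data)]

if __name__ == "__main__":
    for finding in audit():
        print("cleartext credential:", finding)
```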

Hubs will broadcast all the packets to all the computers. Switches are a bit smarter and will try to send each packet to the respective computer. However, someone from inside the network can try to ARP poison the switch and hope that the switch will fail open; that turns the switch into a hub.

It is possible to use ARP redirection as a man-in-the-middle attack. That's a more effective way to sniff, as you aren't simply grabbing the traffic from the air, but the host is purposefully sending you their traffic. That will allow the sniffer to receive all encrypted data as well as plain text.

As others have mentioned, the author doesn't have enough fundamental knowledge of how switches and routers work. Being a somewhat security-related article, the information should be as accurate as possible. It is advised to make the correction ASAP for the sake of other readers, as such misleading information would even hurt the reputation of linuxjournal.com.

Hello,
Things don't work exactly as described here. For example, in a switched network you will receive only the broadcast and multicast traffic, not all packets. The ARP is a broadcast, but after the ARP table is formed on the PC, the computer communicates with the gateway through the MAC address and the switch does not broadcast the packets.

You can capture all packets in wireless networks, where the information is sent through the air to the AP, or in a network with a hub. All PCs connected to the hub can "see" each other's packets.

I would also suggest the use of HTTPS Everywhere. It's a Firefox add-on from the EFF folks, which basically enforces HTTPS on sites that support it. It's no use for most sites, as they don't support HTTPS, but as the use of HTTPS is increasing these days, this add-on makes it more convenient to switch to the HTTPS versions of websites.

I'm not keen on the sentence that reads "For instance, Google allows you to turn SSL on all the time within Gmail, thus encrypting all your e-mail traffic."

This sentence is written in such a way that it makes it sound like email is encrypted when sent through Gmail. This is, of course, incorrect. Only the HTTPS session between your browser and the Gmail web server is encrypted. Gmail will still send your email across the Interwebs unencrypted.

It's amazing to me how often I run across this misconception. I've even had irate clients send me a screen cap of their Gmail inbox with the HTTPS in the address bar circled to "prove" that their email is being sent encrypted. Very disturbing how uninformed people are about the lack of privacy in email.

While there is such a thing as a layer-3 switch (a switch with routing capability), in general switches do *not* connect networks. *Routers* connect networks. The difference between a switch and a hub is that a hub rebroadcasts traffic it receives on one port to every port, every time. A switch will broadcast the traffic when it doesn't have the destination MAC address in its lookup table, but will transmit traffic only through the port that the recipient is connected to (or to the router, if the destination is on a different network) when the recipient's MAC address does exist in the lookup table.

This makes switched networks considerably more secure than a network connected through a hub, because Joe User can't just sniff everybody else's network traffic on a switched network. This is why, IMHO, this article is just a little bit alarmist. However, the danger is very real if you are connecting to an open WiFi network at the local coffee shop.

Yes! Which makes wired connections inherently secure, and sniffing is not a breeze as the article suggests. Because we all use switches; I haven't seen a hub for more than 10 years now :)
So the weak point nowadays is WiFi; no matter what you do, your packets might be compromised!

Considering this, I often choose performance over security and configure my home WiFi as open with MAC filtering on.
It makes routers faster, and still I have 'some' control over who is on the hotspot. In case you are techy enough to sniff the packets around and find the list of probable MAC addresses, you are WELCOME aboard :P